Quote:
Originally Posted by spacemanspiff
Kind of off the "good morning" topic, but I'd be really interested to know how that works out Toby. I've got some SQL databases running on some of our mainstream stuff so I'm always looking out for that kind of stuff.
This particular hack has been pretty prevalent recently.
Over 1.5 million pages affected...
In this case it was on a Windoze box running ASP code on a huge site initially created by someone else 6 or 7 years ago. Any page that pulls dynamic content based on URL parameters is susceptible IF those parameters aren't properly validated before being used to query the database.
The solution in this case was relatively simple. Since the parameter is the index number for the specific page (ex: detail.asp?ID=69) all that has to be done is to convert the parameter value to a long integer before using it in the query string. The ASP function CLng does the job.
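As an added example (not Toby's code, and in Python rather than the classic ASP on his site), this is the same "cast the ID before it reaches the query" fix, with the caveat that CLng rounds fractional input and throws a runtime error on garbage, so an explicit whitelist check plus a bound parameter is the safer shape. The `pages` table is constructed for the demo.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the site's page index (assumption).
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE pages (ID INTEGER PRIMARY KEY, title TEXT)")
_conn.executemany("INSERT INTO pages VALUES (?, ?)",
                  [(68, "About"), (69, "Contact"), (70, "News")])

_ID_RE = re.compile(r"[0-9]+")  # page IDs are non-negative integers (assumption)


def vulnerable_query(raw_id):
    # The original pattern: the URL parameter is pasted straight into the SQL
    # text, so whatever arrives in detail.asp?ID=... becomes part of the query.
    return "SELECT title FROM pages WHERE ID = " + raw_id


def validate_id(raw_id):
    # Equivalent of the CLng fix: accept only a plain decimal integer.
    # Unlike CLng this neither rounds "69.7" to 70 nor raises a Type
    # mismatch page error; it returns None so the caller can answer 400/404.
    raw_id = raw_id.strip()
    if not _ID_RE.fullmatch(raw_id):
        return None
    return int(raw_id)


def lookup_title(raw_id):
    page_id = validate_id(raw_id)
    if page_id is None:
        return None
    # Even with a validated integer, bind it as a parameter rather than
    # concatenating it, so the query text never depends on user input.
    row = _conn.execute("SELECT title FROM pages WHERE ID = ?",
                        (page_id,)).fetchone()
    return row[0] if row else None
```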